#! /usr/bin/env bash
#
# A diff canonifier that removes all X.509 public key information
# which, in the specific case of the RDP protocol's misuse of
# md5WithRSAEncryption, seems that OpenSSL 1.0 is able to manually
# workaround by setting to rsaEncryption, but OpenSSL 1.1 still fails
# to extract the key, so the corresponding fields are always removed here.

awk '
BEGIN { FS="\t"; OFS="\t"; key_type_col = -1; key_length_col = -1; exponent_col = -1; curve_col = -1 }

/^#/ {
    if ( $1 == "#fields" )
        {
        for ( i = 2; i <= NF; ++i )
            {
            if ( $i == "certificate.key_type" )
                key_type_col = i-1;
            if ( $i == "certificate.key_length" )
                key_length_col = i-1;
            if ( $i == "certificate.exponent" )
                exponent_col = i-1;
            if ( $i == "certificate.curve" )
                curve_col = i-1;
            }
        }

    print;
    next;
}

key_type_col > 0 {
        # Mark it regardless of whether it is set.
        $key_type_col = "x";
}

key_length_col > 0 {
        # Mark it regardless of whether it is set.
        $key_length_col = "x";
}

exponent_col > 0 {
        # Mark it regardless of whether it is set.
        $exponent_col = "x";
}

curve_col > 0 {
        # Mark it regardless of whether it is set.
        $curve_col = "x";
}

{
    print;
}
'
